Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

LAN Design Recommendation

I need some advice and a sanity check.

Please look at the drawing.

I need the following functionality:

1.) Local wireless access to LAN 2

2.) VPN access to LAN 2 from the outside

I do not want clients to access LAN 2 through LAN1's wireless. In other words, I want two separate wireless networks because access to LAN 2 is very important and I do not want any other user traffic interfering. So, the solution is to just connect a wireless router to a switch on LAN 2. Clients needing to access LAN 2 will associate to the LAN 2 wireless router and go out the LAN interfaces to the hosts on LAN 2. Easy enough, I guess.

For remote access, I am thinking of a VPN appliance - would much rather have SSL than IPSec. Dont want to have to bother with VPN clients. I think Ciscos ASA 5505 offers an SSL agent to terminate SSL sessions. This way users can just use a browser and 443 to the outside interface of the ASA, enter the log on credentials, get a local IP address off of LAN 2's DHCP scope and access any host on LAN 2 as if they were sitting right there.

As for the public addresses, they would be doled out according to the diagram.


Thoughts?

13 REPLIES
New Member

Re: LAN Design Recommendation

New Member

Re: LAN Design Recommendation

Would really appreciate some feedback.

Thanks you

Hall of Fame Super Blue

Re: LAN Design Recommendation

Couple of things -

1) the public IP's. Do you have enough to create 2 separate subnets because you will need them in your design unless you plan to NAT the SSL VPN applicance on the router ?

2) Is the DSL modem an ethernet presentation ? If so a possible alternative solution is simply to terminate it into an ASA device and get rid of the router. You don't want LAN 1 talking to LAN 2 anyway so a firewall would be ideal. I'm not sure what the router is giving you in this design.

Routers can do things that ASAs can't such as PBR, default-routes out of 2 separate interfaces etc. but with only one internet connection i can't see any need for those things. Using an ASA to terminate the internet connection would also simply your use of the public addressing ie. you only need it on the outside interface now as the ASA is also the SSL VPN applicance.

Jon

New Member

Re: LAN Design Recommendation

Jon, using the ASA to play a dual role as router and SSL VPN terminator/server is feasible, I guess. As long as it can support the needs of both LANs.

LAN 1 is a wireless network for the users in the office. So, the ASA would have to do a PAT for outbound Internet users on LAN 1.

For LAN 2, the ASA's outside interface will have to act as the SSL VPN termination interface. It would also have to do a PAT for outbound SSL traffic for LAN 2.

If I go with this design, I will only need one public address for the outside interface of the ASA.

Lastly, the wireless router I have directly connected to LAN 2 is for the purpose of giving our sales people access to LAN 2. LAN 2 is actually a cabinet full of blade servers, a ToR switch and storage arrays that are all on the same subnet. This is a POD we have for demonstrating certain functionality. So if a sales person is with a client in our office to demonstrate, I dont want him to be on the same wireless network as the one being used by the office users.

What say you, my friend?

New Member

Re: LAN Design Recommendation

By the way, I made a mistake, its a cable modem and it can be set to behave as a bridge or a router - typical dual mode cable modem functionality. I believe I would want it to act as a bridge so that I have control over my own routing environment I dont want to depend on TELCO.

Hall of Fame Super Blue

Re: LAN Design Recommendation

For LAN 2, the ASA's outside interface will have to act as the SSL VPN termination interface. It would also have to do a PAT for outbound SSL traffic for LAN 2.

Not sure what you mean here. Your SSL VPN users will be using public IP's anyway to access the ASA ??

How many useable public IPs do you have ?

As for the general design, if you had to do any routing on the ASA such as redirecting traffic back out the same interface for inter-vlan routing then i wouldn't recommend using an ASA but your design in effect calls for 2 DMZ's ie. LAN 1 & LAN 2 and an outside interface which the ASA is perfect for.

Jon

New Member

Re: LAN Design Recommendation

        "Not sure what you mean here. Your SSL VPN users will be using public IP's anyway to access the ASA ?"

  • I think I confused myself. I was thinking of something else, which is too convoluted to get into now. Correct me if I am wrong, the endpoints of the SSL tunnel are the outside interfaces on both ends. In other words, it is similar to an IPSec tunnel in which data is encapsulated with a new header, the source and destination addresses of which are the public addresses at both ends - client and server.

  • I can have as many public IPs as I need. How many would I need? Just one, correct, for the outside ASA interface?

  • And you are correct, I dont want any inter-LAN traffic between LAN 1 and LAN 2.

  • Why do you say they are 2 DMZs? Why DMZs? Why cant you just say that the ASA has 2 Trusted Networks and 1 outside interface on the untrusted side?

Thanks

Hall of Fame Super Blue

Re: LAN Design Recommendation


Whether or not the data is tunneled depends on the type of SSL VPN. Clientless, as far as i know, simply encrypts the data using SSL but leaves the IP header in tact. But the endpoints as you say are the client and the ASA device.

Number of IPs. Up to you really. Personally to keep things clean i would have 3 - one for the ASA outside interface, and one for each LAN then if you need to track usage futher down the line you can identify who is doing what. However if it's going to cost a lot then yes one would do fine ie. you would be using the same IP to PAT both LAN's outgoing and for the ASA outside interface. Isn't going to make that much difference.

It's always useful to have spare IPs if you can get them at the time of purchase of the line as you never know what you will need.

Why can't you just say that the ASA has 2 Trusted networks

Well i can if the term DMZ offends you It's just another way of looking at it.

Jon

New Member

Re: LAN Design Recommendation

"you would be using the same IP to PAT both LAN's outgoing and for the ASA outside interface"

Jon, thats what I was saying before when I mentioned outbound traffic from LAN being PAT'ed on its way out and you seemed confused.

Lets talk about clientless SSL for a sec.....trying to understand the difference in terms of functionality. From my understanding, clientless SSL allows a remote client limited network access. Its limited to web-based/browser-based applications, like webmail or something like that. The client is not assigned an IP address. Instead, the SSL login page acts as an excrypted portal to certain web-based backend applications.

With a client-based SSL situation (like Cisco's AnyConnect), a remote client will have full access to a remote network - just as if they are sitting on the local LAN. This is similar to IPSec tunnels. The remote client is assigned an IP address by the VPN appliance or a local DHCP server. The remote client is viewed as an internal host by the remote hosts.

I am trying to understand the difference between a client-based SSL setup and an IPSec tunnel. Both offer encryption and both require a client...

Thoughts?

New Member

Re: LAN Design Recommendation

Jon, I guess you gave up on me. :-(

Any other person?

Thanks

Hall of Fame Super Blue

Re: LAN Design Recommendation

ex-engineer wrote:

Jon, I guess you gave up on me. :-(

Any other person?

Thanks

Would i give up on you

I've been away a few days, just catching up on some other stuff and then i'll get back to you.

Jon

Hall of Fame Super Blue

Re: LAN Design Recommendation

As i understand it -

clientless will run any apps that can be run in a web browser. Obviously this limits the number of apps you can run

Anyconnect = client is used so that you can run a greater number of apps ie. you are not limited by the web broswer

Anyconnect and IPSEC both require a client however the difference and advantage of Anyconnect is that you can download the client through the browser on demand as opposed to manually having to install an IPSEC client for a traditional IPSEC VPN client setup so Anyconnect is more flexible and easier to deploy.

Jon

New Member

Re: LAN Design Recommendation

Right. thats the difference between IPSec and SSl. SSL offers more mobility.

Thanks

991
Views
15
Helpful
13
Replies